Using volatility will help confirming malware infection or identify how malware keeps its presentence
The “Top10 malware registry launch points” study done by Fsecure can be used as a starting point.
For example Volaility can be used as the following:
- vol.py -f zeus.vmem printkey -K "Microsoft\Windows\CurrentVersion\Run"
- vol.py -f zeus.vmem printkey -K "Microsoft\Windows\CurrentVersion\Runonce"
- vol.py -f zeus.vmem printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon
Addition to that the following can be used to identify malware:
- vol.py -f zeus.vmem printkey -K "Microsoft\Windows NT\CurrentVersion\windows" --> check AppInit_DLLs entries
- vol.py -f zeus.vmem printkey -K "Classes\.exe\shell\open\command"
- vol.py -f zeus.vmem printkey -K "Classes\exefile\shell\open\command"
- vol.py -f zeus.vmem printkey -K "Software\Microsoft\Command Processor\AutoRun"
References
No comments:
Post a Comment